Abstract. Many quantum algorithms, including Shor's celebrated factoring and discrete log algorithms, proceed by reduction to a hidden subgroup problem, in which a subgroup $H$ of a group $G$ must be determined from a quantum state $|\psi\rangle$ uniformly supported on a left coset of $H$. These hidden subgroup problems are then solved by Fourier sampling: the quantum Fourier transform of $|\psi\rangle$ is computed and measured. When the underlying group is non-Abelian, two important variants of the Fourier sampling paradigm have been identified: the weak standard method, where only representation names are measured, and the strong standard method, where full measurement occurs. It has remained open whether the strong standard method is indeed stronger, that is, whether there are hidden subgroups that can be reconstructed via the strong method but not by the weak, or any other known, method.
In this article, we settle this question in the affirmative. We show that hidden subgroups of semidirect products of the form $\mathbb{Z}_q \ltimes \mathbb{Z}_p$, where $q \mid (p-1)$ and $q = p/\mathrm{polylog}(p)$, can be efficiently determined by the strong standard method. Furthermore, the weak standard method and the "forgetful" Abelian method are insufficient for these groups. We extend this to an information-theoretic solution for the hidden subgroup problem over the groups $\mathbb{Z}_q \ltimes \mathbb{Z}_p$ where $q \mid (p-1)$ and, in particular, the affine groups $A_p$. Finally, we prove a closure property for the class of groups over which the hidden subgroup problem can be solved efficiently.
Submission Track: A 



1 The Hidden Subgroup Problem 

Simon's algorithm for the "XOR-mask" oracle problem [?] and Shor's factoring algorithm [?] determine an unknown ("hidden") subgroup $H$ of a given group $G$ in the following way.

Step 1. Prepare two registers, the first in a uniform superposition over the elements of a group $G$ and the second with the value zero, yielding the state $\psi = c_G \cdot \sum_{g \in G} |g\rangle \otimes |0\rangle$, where $c_G = 1/\sqrt{|G|}$.



Step 2. Calculate a (classical polynomial-time) function $F$ defined on $G$ and XOR it with the second register. This entangles the two registers and results in the state $\psi = c_G \cdot \sum_{g \in G} |g\rangle \otimes |F(g)\rangle$.

Step 3. Measure the second register. This produces a uniform superposition over one of $F$'s level sets, i.e., the set of group elements $g$ for which $F(g)$ takes a particular value $F_0$. If the level sets of $F$ are the cosets of $H$, this puts the first register in a uniform distribution over superpositions on one of those cosets, namely $cH$ where $F(c) = F_0$. Moreover, it disentangles the two registers, resulting in the state $\psi = (1/\sqrt{|H|}) \sum_{h \in H} |ch\rangle \otimes |F_0\rangle$.

Write the amplitudes of the basis states in the first register as the function 

0 otherwise.

The approach taken by Simon and Shor is to perform Fourier sampling: carry out a quantum Fourier transform on $f$, and measure the result.

In Simon's case, the "ambient" group $G$, over which the Fourier transform is performed, is $\mathbb{Z}_2^n$ and $H$ is a subgroup of index 2. In Shor's case (factoring), $G$ is the cyclic group $\mathbb{Z}_n^*$ where $n$ is the number we wish to factor, $F(x) = r^x \bmod n$ for a random $r < n$, $H$ is the subgroup of $\mathbb{Z}_n^*$ of index $\mathrm{order}(r)$, and the Fourier transform is the familiar Abelian one. (However, since $|\mathbb{Z}_n^*|$ is unknown, the above algorithm is actually performed over $\mathbb{Z}_q$ where $q$ is polynomially bounded by $n$; see [?] or [?].) To solve the elusive Graph Automorphism problem, on the other hand, it would be sufficient to solve the HSP over the permutation group $S_n$; see, e.g., Jozsa [?] for a review. It is partly for this reason that the non-Abelian HSP has remained such an active area of quantum algorithms research.

In general, we will say that the HSP for a family of groups has a Fourier sampling algorithm if a procedure similar to that outlined above works. Specifically, the algorithm prepares a superposition of the form (1), computes its (quantum) Fourier transform, and measures the result in a basis of its choice. After a polynomial number of such trials, a polynomial amount of classical computation, and, perhaps, a polynomial number of classical queries to the function $F$ to confirm the result, the algorithm produces a set of generators for the subgroup $H$ with high probability.

Since we are typically interested in exponentially large groups, we will take the size of our input to be $n = \log|G|$. Thus "polynomial" means polylogarithmic in the size of the group.

History and Context. Though a number of interesting results have been obtained on the non-Abelian HSP, the groups for which efficient solutions are known remain woefully few and sporadic. On the positive side, Roetteler and Beth [?] give an algorithm for the wreath product $\mathbb{Z}_2^n \wr \mathbb{Z}_2$. Ivanyos, Magniez, and Santha [?] extend this to the more general case of semidirect products $K \ltimes \mathbb{Z}_2^n$ where $K$ is of polynomial size, and also give an algorithm for groups whose commutator subgroup is of polynomial size. Friedl, Ivanyos, Magniez, Santha and Sen solve a problem they call Hidden Translation, and thus generalize this further to what they call "smoothly solvable" groups: these are solvable groups whose derived series is of constant length and whose Abelian factor groups are each the direct product of an Abelian group of bounded exponent and one of polynomial size [?].

In another vein, Ettinger and Høyer [2] show that the HSP is solvable for the dihedral groups in an information-theoretic sense; namely, a finite number of quantum queries to the function oracle gives enough information to reconstruct the subgroup, but the best known reconstruction algorithm takes exponential time. More generally, Ettinger, Høyer and Knill [3] show that for arbitrary groups the HSP can be solved information-theoretically with a finite number of quantum queries, but do not give an explicit set of measurements to do so.

Our current understanding, then, divides groups in three classes:

I. Fully Reconstructible. Subgroups of a family of groups $\mathcal{G} = \{G_i\}$ are fully reconstructible if the HSP can be solved with high probability by a quantum circuit of size polynomial in $\log|G_i|$.

II. Measurement Reconstructible. Subgroups of a family of groups $\mathcal{G} = \{G_i\}$ are measurement reconstructible if the solution to the HSP for $G_i$ is determined information-theoretically by the fully measured result of a quantum circuit of size polynomial in $\log|G_i|$.

III. Query Reconstructible. Subgroups of a family of groups $\mathcal{G} = \{G_i\}$ are query reconstructible if the solution to the HSP for $G_i$ is determined by the quantum state resulting from a quantum circuit of polynomial size in $\log|G_i|$, in the sense that there is a POVM that yields the subgroup $H$ with constant probability. (Note that there is no guarantee that this POVM can be implemented by a small quantum circuit.)

In each case, the quantum circuit has oracle access to a function $f : G \to S$, for some set $S$, with the property that $f$ is constant on each left coset of a subgroup $H$, and distinct on distinct cosets.

In this language, then, the result of [3] shows that subgroups of arbitrary groups are query reconstructible, whereas it is known that subgroups of Abelian groups are in fact fully reconstructible. The other work cited above has labored to place specific families of (non-Abelian) groups into the more algorithmically meaningful classes I and II above.

All the above results use Abelian Fourier analysis, even in the cases in which the groups of interest are non-Abelian; it turns out that each of these groups is "close enough" to Abelian that a "forgetful" Abelian Fourier analysis, which treats the groups as though their multiplication rule were commutative, suffices to detect subgroups. Nevertheless, as we shall see, there are situations in which Abelian Fourier analysis will not suffice and, instead, the full power of the non-Abelian Fourier analysis associated with the group is required.

Fourier analysis over a finite Abelian group $A$ proceeds by expressing a function $f : A \to \mathbb{C}$ as a linear combination of special functions $\chi : A \to \mathbb{C}$ which are homomorphisms of $A$ into $\mathbb{C}$. If $A = \mathbb{Z}_p$, for example, the homomorphisms from $A$ to $\mathbb{C}$ are exactly the familiar functions $\chi_t : z \mapsto e^{2\pi i tz/p} = \omega_p^{tz}$, and any function $f : A \to \mathbb{C}$ can be uniquely expressed as a linear combination of these $\chi_t$; this change of basis is precisely the Fourier transform. When $G$ is a non-Abelian group, however, this same procedure cannot work: in particular, there are not enough homomorphisms of $G$ into $\mathbb{C}$ to even span the space of all $\mathbb{C}$-valued functions on $G$. The representation theory of finite groups constructs the objects which can be used in place of the $\mathbb{C}$-valued homomorphisms above to develop a satisfactory theory of Fourier analysis over general groups. See [?] for treatments of non-Abelian Fourier analysis and representation theory. In this general setting Fourier transforms are matrix-valued and our Fourier sampling algorithm might measure not just which representation we are in, but also the row and column. See Appendix A for more discussion.

Along these lines, Hallgren, Russell, and Ta-Shma showed that measuring the names of representations alone — the weak standard method in the terminology of [?] — can reconstruct normal subgroups (and thus solve the HSP for Hamiltonian groups, all of whose subgroups are normal). More generally, they show how to reconstruct the normal core of a subgroup, i.e. the intersection of all its conjugates. On the other hand, they show that this is insufficient to solve the Graph Automorphism problem, since even in an information-theoretic sense this method cannot distinguish between the trivial subgroup of $S_n$ and most subgroups of order 2.

Grigni, Schulman, Vazirani and Vazirani [?] showed that trivial and non-trivial subgroups are still information-theoretically indistinguishable, even if we do measure the rows and columns of the representation, under the assumption that a random basis is used for each representation. In other words, even the strong standard method, in which rows and columns are measured, cannot solve Graph Automorphism unless there exist bases for the representations of $S_n$ with very special computational properties. (They also point out that since we can reconstruct normal subgroups, we can also solve the HSP for groups where the intersection of all normalizers (the Baer norm) has small index.)

Contributions of this paper. An important open question, then, is whether there are cases in which the strong standard method offers any advantage over a simple Abelian transform or the weak standard method. In this paper, we settle this question in the affirmative. Our results deal primarily with semidirect products of the form $\mathbb{Z}_q \ltimes \mathbb{Z}_p$, the so-called $q$-hedral groups, including the affine group $A_p = \mathbb{Z}_p^* \ltimes \mathbb{Z}_p$. We show the following:

Theorem 1. Let $p$ and $q$ be prime with $q = (p-1)/\mathrm{polylog}(p)$. Then subgroups of $\mathbb{Z}_q \ltimes \mathbb{Z}_p$ are fully reconstructible.

More generally, we define the Hidden Conjugate Problem as follows: given a group $G$, a non-normal subgroup $H$, and a function which is promised to be constant on the cosets of some conjugate $bHb^{-1}$ of $H$, identify $b$. We adopt the above classification (fully/measurement/query) for this problem in the natural way. Then we also show that

Theorem 2. Let $p$ be prime and $q$ a divisor of $p-1$. Then the hidden conjugates of $H$ in $G = \mathbb{Z}_q \ltimes \mathbb{Z}_p$ are fully reconstructible if $H$ has index $\mathrm{polylog}(p)$.



Moreover, our algorithms in Theorems 1 and 2 rely crucially on the high-dimensional representations of $\mathbb{Z}_q \ltimes \mathbb{Z}_p$, and we show that Abelian methods (in other words, treating the group as a direct product rather than a semidirect one) do not suffice.

We also generalize the results of Ettinger and Høyer on the dihedral group to the $q$-hedral groups:

Theorem 3. Let $p$ be prime and $q$ a divisor of $p-1$. Then hidden conjugates in $\mathbb{Z}_q \ltimes \mathbb{Z}_p$ are measurement reconstructible.

We then reduce the general problem of hidden subgroup reconstruction in $\mathbb{Z}_q \ltimes \mathbb{Z}_p$ (and $A_p$) to Theorem 3:

Theorem 4. Let $p$ be prime and $q$ a divisor of $p-1$. The subgroups of the $q$-hedral groups $\mathbb{Z}_q \ltimes \mathbb{Z}_p$ are measurement reconstructible. In particular, the subgroups of the affine groups $A_p$ are measurement reconstructible.

In Theorems 3 and 4 we give an explicit set of efficiently computable measurements from which the subgroup can be reconstructed, with a (possibly exponential) amount of classical computation.

Finally, we show that the set of groups for which the HSP can be solved in 
polynomial time has the following closure property: 

Theorem 5. Let $H$ be a group for which hidden subgroups are fully reconstructible, and $K$ a group of polynomial size in $\log|H|$. Then hidden subgroups in any extension of $K$ by $H$, i.e. any group $G$ with $K \triangleleft G$ and $G/K = H$, are fully reconstructible.

This subsumes the results of [?] on Hamiltonian groups, and also those of [?] on groups with commutator subgroups of polynomial size.

The Non-Abelian Fourier Transform. To solve the HSP for the non-Abelian groups discussed above, we shall consider the more general setting of non-Abelian Fourier analysis. Briefly, we treat a representation as a homomorphism $\rho : G \to U(d)$, where $U(d)$ denotes the group of unitary operators on $\mathbb{C}^d$. We call $d_\rho = d$ the dimension of $\rho$. For a function $f : G \to \mathbb{C}$ and an irreducible representation $\rho$, we let $\hat f(\rho)$ denote the Fourier transform of $f$ at $\rho$, given by



A more complete description of the representations of a group $G$ and the associated transform appears in Appendix A. The Fourier transform of a function of the form (1) is then





As $H$ is a subgroup, $\sum_h \rho(h)$ is $|H|$ times a projection operator (see, e.g., [?]); we write $\sum_h \rho(h) = |H|\,\pi_H$. (Its rank is determined by the number of copies of the trivial representation in the representation $\mathrm{Ind}_H^G 1$.) With this notation, we write $\hat f(\rho) = \sqrt{n_\rho}\,\rho(c)\cdot\pi_H$ where $n_\rho = d_\rho|H|/|G|$. For a $d \times d$ matrix $M$, we let $\|M\|$ denote the matrix norm given by $\|M\|^2 = \sum_{ij}|M_{ij}|^2$. Then the probability that we observe the representation $\rho$ is
$$\|\hat f(\rho)\|^2 = \|\sqrt{n_\rho}\,\rho(c)\,\pi_H\|^2 = n_\rho\,\|\rho(c)\|^2\,\|\pi_H\|^2 = n_\rho\,\mathrm{rk}\,\pi_H,$$
where $\mathrm{rk}\,\pi_H$ is the rank of the projection operator $\pi_H$. See [?] for discussion.

2 The Affine Group $A_p$

Let $A_p$ be the affine group of size $p(p-1)$ for $p$ prime, consisting of functions $(a,b) : x \mapsto ax + b$ on $\mathbb{Z}_p$ acting by composition, where $a \in \mathbb{Z}_p^*$ and $b \in \mathbb{Z}_p$. Thus $A_p$ is a semidirect product $\mathbb{Z}_p^* \ltimes \mathbb{Z}_p$ where $(a_1,b_1)\cdot(a_2,b_2) = (a_1a_2,\; b_1 + a_1b_2)$ (we adopt the convention that functions compose on the right). We enumerate the subgroups below:

— Let $N = \mathbb{Z}_p$ be the normal subgroup of size $p$ consisting of elements of the form $(1,b)$.

— Let $H$ be the non-normal subgroup of size $p-1$ consisting of the elements of the form $(a,0)$. Its conjugates $H^b = (1,b)\cdot H\cdot(1,-b)$ consist of elements of the form $(a,(1-a)b)$. (In the action on $\mathbb{Z}_p$, $H^b$ is the stabilizer of $b$.)

— More generally, if $a \in \mathbb{Z}_p^*$ has order $q$, let $N_a = \mathbb{Z}_q \ltimes \mathbb{Z}_p$ be the normal subgroup consisting of all elements of the form $(a^t,b)$, and let $H_a$ be the non-normal subgroup $H_a = \langle(a,0)\rangle$ of size $q$. Then $H_a$ consists of the elements of the form $(a^t,0)$ and its conjugates $H_a^b = (1,b)\cdot H_a\cdot(1,-b)$ consist of the elements of the form $(a^t,(1-a^t)b)$.

To discuss $A_p$'s representations, fix a generator $\gamma$ of $\mathbb{Z}_p^*$ and let $\ell_\gamma : \mathbb{Z}_p^* \to \mathbb{Z}_{p-1}$ be the isomorphism $\ell_\gamma(\gamma^t) = t$. Let $\omega_p$ denote the $p$th root of unity $e^{2\pi i/p}$. Then $G$ has $p-1$ one-dimensional representations $\sigma_t$ which are simply the representations of $\mathbb{Z}_p^* \cong \mathbb{Z}_{p-1}$ given by $\sigma_t((a,b)) = \omega_{p-1}^{t\,\ell_\gamma(a)}$ and one $(p-1)$-dimensional representation $\rho$. In the multiplicative basis whose indices $j,k$ are elements of $\mathbb{Z}_p^*$, we have:
$$\rho((a,b))_{j,k} = \begin{cases} \omega_p^{bj} & k = aj \bmod p \\ 0 & \text{otherwise} \end{cases}, \qquad 1 \le j,k < p.$$

We review the construction of these representations in Appendix B.

The affine group — and more generally, the $q$-hedral groups we discuss below — are metacyclic groups, i.e. extensions of a cyclic group $\mathbb{Z}_p$ by a cyclic group $\mathbb{Z}_q$. In [?], Høyer showed how to perform the non-Abelian Fourier transform over such groups in a polynomial (i.e. $\mathrm{polylog}(p)$) number of elementary quantum operations. (In fact, he does this only up to an overall phase factor, but this is sufficient for our purposes.)



Conjugates of the Largest Non-Normal Subgroup. In this section we solve the Hidden Conjugate Problem, in which we are promised that $f$ is a superposition over some coset of one of the conjugates $H^b$ of the largest non-normal subgroup $H$, and our job is to identify which conjugate, i.e. to identify $b$. First note that $n_\rho = d_\rho|H|/|G| = (p-1)/p = 1 - 1/p$. Then a little calculation shows that, in the multiplicative basis, $\pi(H^b)_{jk} = \frac{1}{p-1}\,\omega_p^{(j-k)b}$, $1 \le j,k < p$. This is a circulant matrix of rank 1. More specifically, every column is some root of unity times the vector $(u_b)_j = \frac{1}{\sqrt{p-1}}\,\omega_p^{bj}$, $1 \le j < p$. This is also true of $\rho(c)\cdot\pi(H^b)$; since $\rho(c)$ has one nonzero entry per column, left multiplying by $\rho(c)$ simply multiplies each column of $\pi(H^b)$ by a phase. Therefore, we can first carry out a partial measurement on the columns, and then transform the rows by left-multiplying $\rho(cH)$ by the quantum Fourier transform over $\mathbb{Z}_{p-1}$, $Q_{ij} = \frac{1}{\sqrt{p-1}}\,\omega_{p-1}^{ij}$. We can now infer $b$ by measuring the frequency $\ell$. We observe a given value of $\ell$ with probability



$$P(\ell) = \left|\frac{1}{\sqrt{p-1}}\sum_{j=1}^{p-1}\frac{1}{\sqrt{p-1}}\,e^{2i\theta j}\right|^2 = \frac{1}{(p-1)^2}\left|\sum_{j=1}^{p-1} e^{2i\theta j}\right|^2 = \frac{1}{(p-1)^2}\,\frac{\sin^2((p-1)\theta)}{\sin^2\theta},$$
where $\theta = \left(\frac{\ell}{p-1} - \frac{b}{p}\right)\pi$. Now note that for any $b$ there is an $\ell$ such that $|\theta| \le \pi/(2(p-1))$. Since $(2x/\pi)^2 \le \sin^2 x \le x^2$ for $|x| \le \pi/2$, this gives $P(\ell) \ge (2/\pi)^2$.

Finally, the probability that we observed the $(p-1)$-dimensional representation $\rho$ in the first place is $n_\rho = 1 - 1/p$. Thus if we measure the column, and then $\ell$, and then guess that $b$ minimizes $|\theta|$, we will be right $\Omega(1)$ of the time. We boost this to high probability by repeating a polynomial number of times.

Subgroups with Large Index. We focus next on the Hidden Conjugate Problem for the subgroups $H_a$ where $a$'s order $q$ is a proper divisor of $p-1$. Recall that a given conjugate of $H_a$ consists of the elements of the form $(a^t,(1-a^t)b)$. Then in the multiplicative basis we have
$$\pi(H_a^b)_{j,k} = \begin{cases} \frac{1}{q}\,\omega_p^{b(j-k)} & k = a^t j \bmod p \text{ for some } t \\ 0 & \text{otherwise} \end{cases}, \qquad 1 \le j,k < p.$$

In other words, the nonzero entries are those for which $j$ and $k$ are in the same coset of $\langle a\rangle \subset \mathbb{Z}_p^*$. The rank of this projection operator is thus the number of cosets, which is the index $(p-1)/q$ of $\langle a\rangle$ in $\mathbb{Z}_p^*$. Since $n_\rho$ is now $q/p$, we again observe $\rho$ with probability $n_\rho\,\mathrm{rk}\,\pi(H) = (p-1)/p = 1 - 1/p$.

We will show that we can reconstruct the conjugates of $H_a$ in polynomial time if $a$ has large order, in particular when the index of $\langle a\rangle$ is $\mathrm{polylog}(p)$. If $q$ is prime then $H_a$ is the only non-normal subgroup of $\mathbb{Z}_q \ltimes \mathbb{Z}_p$, so we can completely solve the Hidden Subgroup Problem for these groups. For instance, if $q$ is a Sophie Germain prime, i.e. one for which $2q+1$ is also a prime, we can solve the HSP for $\mathbb{Z}_q \ltimes \mathbb{Z}_{2q+1}$. This establishes Theorem 1.

Following the same procedure as before, we do a partial measurement on the columns of $\rho$, and then Fourier transform the rows. After changing the variable of summation from $t$ to $-t$ and adding a phase shift of $e^{-i\theta(p-1)}$ inside the $|\cdot|^2$, the probability we observe a frequency $\ell$, assuming we find ourselves in the $k$th column, is



$$P(\ell) = \left|\sum_{t=0}^{q-1}\frac{\omega_p^{bka^t}\,\omega_{p-1}^{-\ell a^t k}}{\sqrt{q(p-1)}}\right|^2 = \frac{1}{q(p-1)}\left|\sum_{t=0}^{q-1} e^{i\theta(2a^t k - (p-1))}\right|^2 \qquad (2)$$



Now note that the terms in the sum are of the form $e^{i\phi}$ where (assuming w.l.o.g. that $\theta$ is positive) $\phi \in [-\theta(p-1),\,\theta(p-1)]$. If we again take $\ell$ so that $|\theta| \le \pi/(2(p-1))$, then $\phi \in [-\pi/2,\pi/2]$ and all the terms in the sum have nonnegative real parts. We will lower bound the real part of the sum by showing that a constant fraction of the terms have $\phi \in (-\pi/3,\pi/3)$, and thus have real part more than $1/2$. This is the case whenever $a^t k \in (p/6,\,5p/6)$, so it is sufficient to prove the following lemma:

Lemma 1. Let $a$ have order $q = p/\mathrm{polylog}(p)$. Then for any $\epsilon > 0$ at least $(1/3 - \epsilon)q$ of the elements in the coset $\langle a\rangle k$ are in the interval $(p/6,\,5p/6)$.

Proof. We will prove this using Gauss sums, which quantify the interplay between the additive and multiplicative behavior of $\mathbb{Z}_p$ and thus establish bounds on the distribution of powers of $a$. Specifically, if $a$ has order $q$ in $\mathbb{Z}_p^*$ then for any integer $k \not\equiv 0 \pmod p$ we have $\sum_{t=0}^{q-1}\omega_p^{ka^t} = O(p^{1/2}) = o(p)$. (See Appendix C.) Now suppose $s$ of the elements $x$ in $\langle a\rangle k$ are in the set $(p/6,\,5p/6)$, for which $\mathrm{Re}\,\omega_p^x \ge -1$, and the other $q-s$ elements are in $[0,p/6] \cup [5p/6,p)$, for which $\mathrm{Re}\,\omega_p^x \ge 1/2$. Thus we have $\mathrm{Re}\sum_{t=0}^{q-1}\omega_p^{ka^t} \ge (q/2) - (3s/2)$. If $s \le (1/3 - \epsilon)q$ for any $\epsilon > 0$ this is $\Omega(q)$, a contradiction. □
Now that we know that a fraction $1/3 - \epsilon$ of the terms in (2) have real part at least $1/2$ and the others have real part at least 0, we can take $\epsilon = 1/12$ (say) and write
$$P(\ell) \ge \frac{1}{q(p-1)}\left(\frac{q}{8}\right)^2 = \frac{1}{64}\cdot\frac{q}{p-1} \ge \frac{1}{\mathrm{polylog}(p)}.$$
Thus we observe the correct frequency with polynomially small probability, and we again boost this to high probability by repeating a polynomial number of times. This establishes Theorem 3.
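The following pure-Python model, added here as an illustration rather than code from the paper, covers both subsections above: it builds $\rho$ in the multiplicative basis and checks the homomorphism property, forms $\pi(H_a^b)$ for $a$ of order $q$ (a generator gives the largest non-normal subgroup $H^b$), verifies its rank and the probability $n_\rho\,\mathrm{rk}\,\pi_H = 1 - 1/p$ of observing $\rho$, and then performs the column measurement and the QFT over $\mathbb{Z}_{p-1}$ to obtain $P(\ell)$, compared against the $\sin^2$ closed form and the $(2/\pi)^2$ bound. It assumes the coset representative $c = 1$, so the measured column is $u_b$ up to a phase, and fixes the sign convention $\omega_p^{bj}$ for the nonzero entry of $\rho((a,b))$.

```python
import cmath
import math
import random

def affine_mul(p, g, h):
    """(a1,b1)·(a2,b2) = (a1 a2, b1 + a1 b2): the paper's product on A_p."""
    (a1, b1), (a2, b2) = g, h
    return (a1 * a2 % p, (b1 + a1 * b2) % p)

def mult_order(a, p):
    """Multiplicative order q of a in Z_p^* (1 <= a < p, p prime)."""
    q, x = 1, a % p
    while x != 1:
        x, q = x * a % p, q + 1
    return q

def omega(p, e):
    return cmath.exp(2j * math.pi * (e % p) / p)   # omega_p^e

def rho(p, g):
    """(p-1)-dim representation, rows/columns j,k = 1..p-1:
    rho((a,b))_{j,k} = omega_p^{bj} if k = aj mod p, else 0 (sign convention assumed here)."""
    a, b = g
    m = [[0j] * (p - 1) for _ in range(p - 1)]
    for j in range(1, p):
        m[j - 1][a * j % p - 1] = omega(p, b * j)
    return m

def matmul(x, y):
    n = len(x)
    return [[sum(x[i][t] * y[t][j] for t in range(n)) for j in range(n)] for i in range(n)]

def close(x, y, eps=1e-9):
    return all(abs(u - v) < eps for rx, ry in zip(x, y) for u, v in zip(rx, ry))

def is_homomorphism(p, trials=20, seed=1):
    """rho(g) rho(h) == rho(g·h) on random pairs of elements of A_p."""
    rng = random.Random(seed)
    for _ in range(trials):
        g = (rng.randrange(1, p), rng.randrange(p))
        h = (rng.randrange(1, p), rng.randrange(p))
        if not close(matmul(rho(p, g), rho(p, h)), rho(p, affine_mul(p, g, h))):
            return False
    return True

def hidden_conjugate(p, a, b):
    """H_a^b = {(a^t, (1 - a^t) b)}; a generator gives the largest non-normal H^b."""
    return [(pow(a, t, p), (1 - pow(a, t, p)) * b % p) for t in range(mult_order(a, p))]

def pi_H(p, a, b):
    """pi_H = (1/|H|) sum_{h in H_a^b} rho(h): entries (1/q) omega_p^{b(j-k)} when j, k
    lie in the same coset of <a>, else 0."""
    H = hidden_conjugate(p, a, b)
    m = [[0j] * (p - 1) for _ in range(p - 1)]
    for h in H:
        for i, row in enumerate(rho(p, h)):
            for j, x in enumerate(row):
                m[i][j] += x / len(H)
    return m

def projection_rank(p, a, b):
    """Check pi_H^2 = pi_H and return its rank (= squared Frobenius norm)."""
    m = pi_H(p, a, b)
    assert close(matmul(m, m), m)
    return round(sum(abs(x) ** 2 for row in m for x in row))

def prob_observe_rho(p, a, b):
    """n_rho · rk pi_H with n_rho = d_rho |H| / |G| = q/p; the paper gets 1 - 1/p."""
    return mult_order(a, p) / p * projection_rank(p, a, b)

def frequency_distribution(p, a, b, column=1):
    """Coset representative c = 1 (assumed here): measure one column of pi_H, then apply
    the QFT over Z_{p-1} to the row index j = 1..p-1. Returns [P(0), ..., P(p-2)]."""
    n = p - 1
    col = [row[column - 1] for row in pi_H(p, a, b)]
    norm = math.sqrt(sum(abs(x) ** 2 for x in col))
    v = [x / norm for x in col]
    return [abs(sum(v[j - 1] * cmath.exp(-2j * math.pi * ell * j / n)
                    for j in range(1, p))) ** 2 / n for ell in range(n)]

def theta(p, ell, b):
    return (ell / (p - 1) - b / p) * math.pi

def closed_form(p, ell, b):
    """Generator case: P(ell) = sin^2((p-1) theta) / ((p-1)^2 sin^2 theta)."""
    th, n = theta(p, ell, b), p - 1
    return 1.0 if abs(math.sin(th)) < 1e-12 else math.sin(n * th) ** 2 / (n * math.sin(th)) ** 2

def best_frequency(p, b):
    """The ell with |theta| <= pi/(2(p-1)), where the paper shows P(ell) >= (2/pi)^2."""
    return min(range(p - 1), key=lambda ell: abs(theta(p, ell, b)))

def guess_b(p, ell):
    """Guess the b minimising |theta|, i.e. |ell p - b (p-1)|, in integer arithmetic."""
    return min(range(p), key=lambda b: abs(ell * p - b * (p - 1)))
```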



3 The $q$-hedral Groups

In general, if $a$ has multiplicative order $q$, then we are in the subgroup $\mathbb{Z}_q \ltimes \mathbb{Z}_p \subset A_p$, the $q$-hedral group. In this section we show that the conjugates of $H_a$ are then measurement reconstructible, i.e. are information-theoretically reconstructible from a polynomial number of quantum queries given by a polynomial size quantum circuit, followed by a possibly exponential amount of classical computation. It follows that subgroups of the $q$-hedral groups are measurement reconstructible whenever $q$ has $\mathrm{polylog}(p)$ divisors, for instance $A_p$ (where $q = p-1$) if $p$ is a Fermat prime $2^k + 1$. (Note also that for a prime selected at random in $\{1,\ldots,n\}$ for large $n$, $p-1$ has no more than $\mathrm{polylog}(p)$ divisors with high probability.) This generalizes the results of Ettinger and Høyer [2] who showed this for the case $q = 2$, i.e. the dihedral groups.

The representations of $\mathbb{Z}_q \ltimes \mathbb{Z}_p$ include the $q$ one-dimensional representations of $\mathbb{Z}_q$ given by $\sigma_\ell((a^u,b)) = \omega_q^{\ell u}$, $\ell \in \mathbb{Z}_q$, and $(p-1)/q$ $q$-dimensional representations $\rho_k$,
$$\rho_k((a^u,b))_{s,t} = \begin{cases} \omega_p^{bka^s} & t = s + u \bmod q \\ 0 & \text{otherwise} \end{cases}, \qquad 0 \le s,t < q.$$

Here $k$ ranges over the elements of $\mathbb{Z}_p^*/\mathbb{Z}_q$, or, to put it differently, $k$ takes values in $\mathbb{Z}_p^*$ but $\rho_k$ and $\rho_{k'}$ are isomorphic if $k$ and $k'$ are in the same coset of $\langle a\rangle$. These $\rho_k$ are simply the $(p-1)/q$ diagonal blocks of the $(p-1)$-dimensional representation $\rho$ of $A_p$ (this is perhaps a little easier to see in the additive basis). Then summing $\rho_k$ over the elements $(a^t,(1-a^t)b)$ gives $\pi_k(H_a^b)_{s,t} = \frac{1}{q}\,\omega_p^{(a^s - a^t)kb}$, $0 \le s,t < q$. This is again a matrix of rank 1, where each column (even after left multiplication by $\rho_k(c)$) is some root of unity times the vector $(u_k)_s = \frac{1}{\sqrt q}\,\omega_p^{ka^sb}$. Note that $n_\rho = q/p$.

We now wish to show that there is a measurement whose outcomes given two distinct values of $b$ have polynomial total variation distance. First, we perform a series of partial measurements as follows: (i.) measure the name of the representation; (ii.) measure the column of the representation; (iii.) perform a POVM with $q$ outcomes, in each of which $s$ is $u$ or $u+1 \bmod q$ for some $u \in \mathbb{Z}_q$. The total probability we observe one of the $q$-dimensional representations, since there are $(p-1)/q$ of them, is $n_\rho(p-1)/q = 1 - 1/p$. Then these three partial measurements determine $k$, remove the effect of the coset, and determine that $s$ has one of two values, $u$ or $u+1$. Up to an overall phase we can write this as a two-dimensional vector
$$\frac{1}{\sqrt2}\begin{pmatrix}\omega_p^{a^u kb} \\ \omega_p^{a^{u+1}kb}\end{pmatrix}.$$
We now apply the Hadamard transform $\frac{1}{\sqrt2}\begin{pmatrix}1 & 1\\ 1 & -1\end{pmatrix}$ and measure $s$. The probability we observe $u$ and $u+1$ is then $\cos^2\theta$ and $\sin^2\theta$ respectively, where $\theta = (\pi k a^u (a-1) b)/p$. Now when we observe a $q$-dimensional representation, the $k$ we observe is uniformly distributed over $\mathbb{Z}_p^*/\mathbb{Z}_q$, and when we perform the POVM, the $u$ we observe is uniformly distributed over $\mathbb{Z}_q$. It follows that the coefficient $m = ka^u(a-1)$ is uniformly distributed over $\mathbb{Z}_p^*$. For any two distinct $b, b'$, the total variation distance is then



$$\begin{aligned}
&\frac{1}{p-1}\sum_{m\in\mathbb{Z}_p^*}\left(\left|\cos^2\frac{\pi mb}{p} - \cos^2\frac{\pi mb'}{p}\right| + \left|\sin^2\frac{\pi mb}{p} - \sin^2\frac{\pi mb'}{p}\right|\right)\\
&\qquad = \frac{1}{p-1}\sum_{m\in\mathbb{Z}_p}\left|\cos\frac{2\pi mb}{p} - \cos\frac{2\pi mb'}{p}\right|\\
&\qquad \ge \frac{1}{2(p-1)}\sum_{m\in\mathbb{Z}_p}\left(\cos\frac{2\pi mb}{p} - \cos\frac{2\pi mb'}{p}\right)^2 = \frac{p}{2(p-1)}.
\end{aligned}$$

(Adding the $m = 0$ term contributes zero to the sum in the second line. In the third line we use the facts that $|x| \ge x^2/2$ for all $|x| \le 2$, the average of $\cos^2$ is $1/2$, and the two cosines have zero inner product.)

Since the total variation distance between any two distinct conjugates is bounded below by a constant, by standard results in probability theory we can distinguish between the $p$ different conjugates with only $O(\log p) = \mathrm{poly}(n)$ queries. Thus hidden conjugates in $q$-hedral groups are measurement reconstructible, completing the proof of Theorem 3.

What remains to be seen is that in a group of form $\mathbb{Z}_q \ltimes \mathbb{Z}_p$, where $q \mid p-1$, it is possible to determine the order of a hidden subgroup. Were this possible, based on Theorem 3 we could (measurement) reconstruct arbitrary hidden subgroups of $\mathbb{Z}_q \ltimes \mathbb{Z}_p$. Let $H$ be a hidden subgroup of $\mathbb{Z}_q \ltimes \mathbb{Z}_p$ given by the oracle $f : \mathbb{Z}_q \ltimes \mathbb{Z}_p \to S$, and let $p_1^{\alpha_1}\cdots p_k^{\alpha_k}$ be the prime factorization of $q$, in which case $k \le \sum_i \alpha_i = O(\log q)$. For each $i \in [k]$, we will determine if $p_i^{\alpha} \mid |H|$ for $1 \le \alpha \le \alpha_i$. This suffices to determine $|H|$, at which point the subgroup $H$ can be determined by Theorem 3.
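The three partial measurements and the Hadamard step above, modelled in pure Python as an added example (not the paper's code): it builds $\rho_k$ and $\pi_k(H_a^b)$, applies the column measurement, the two-outcome POVM and the Hadamard, and compares the resulting outcome distributions for two values of $b$ with the cosine form and the bound $p/(2(p-1))$ from the chain above. It conditions on having observed a $q$-dimensional representation and, because $\cos^2$ is even, only compares pairs with $b' \not\equiv \pm b \pmod p$, where the two cosines are orthogonal as the parenthetical requires.

```python
import cmath
import math

def omega(p, e):
    return cmath.exp(2j * math.pi * (e % p) / p)   # omega_p^e

def rho_k(p, q, a, k, g):
    """q-dim representation of Z_q ⋉ Z_p; g = (u, b) stands for (a^u, b):
    rho_k((a^u,b))_{s,t} = omega_p^{b k a^s} if t = s + u mod q, else 0."""
    u, b = g
    m = [[0j] * q for _ in range(q)]
    for s in range(q):
        m[s][(s + u) % q] = omega(p, b * k * pow(a, s, p))
    return m

def pi_k(p, q, a, k, b):
    """(1/q) sum_u rho_k((a^u, (1 - a^u) b)): entries (1/q) omega_p^{(a^s - a^t) k b}."""
    m = [[0j] * q for _ in range(q)]
    for u in range(q):
        for s, row in enumerate(rho_k(p, q, a, k, (u, (1 - pow(a, u, p)) * b % p))):
            for t, x in enumerate(row):
                m[s][t] += x / q
    return m

def coset_reps(p, q, a):
    """One k per coset of <a> in Z_p^* (rho_k depends only on the coset of k)."""
    seen, reps = set(), []
    for k in range(1, p):
        if k not in seen:
            reps.append(k)
            seen.update(k * pow(a, u, p) % p for u in range(q))
    return reps

def outcome_distribution(p, q, a, b):
    """Conditioned on a q-dim representation (q >= 2): measure its name k (uniform over
    the (p-1)/q cosets), a column, the POVM element (|u><u| + |u+1><u+1|)/2, then
    Hadamard the two surviving rows and measure s in {u, u+1}.
    Returns {(k, u, s): probability}."""
    reps = coset_reps(p, q, a)
    dist = {}
    for k in reps:
        col = [row[0] for row in pi_k(p, q, a, k, b)]   # column 0: a phase times u_k
        norm = math.sqrt(sum(abs(x) ** 2 for x in col))
        v = [x / norm for x in col]
        for u in range(q):
            x, y = v[u], v[(u + 1) % q]
            two = abs(x) ** 2 + abs(y) ** 2      # POVM outcome u has probability two/2 = 1/q
            p_u = two / 2
            dist[(k, u, u)] = p_u * abs(x + y) ** 2 / (2 * two) / len(reps)
            dist[(k, u, (u + 1) % q)] = p_u * abs(x - y) ** 2 / (2 * two) / len(reps)
    return dist

def l1_distance(p, q, a, b, b2):
    """sum over outcomes of |P_b - P_b2|, the quantity bounded in the chain above."""
    d1, d2 = outcome_distribution(p, q, a, b), outcome_distribution(p, q, a, b2)
    return sum(abs(d1[key] - d2[key]) for key in d1)

def cosine_form(p, b, b2):
    """(1/(p-1)) sum_{m in Z_p^*} |cos(2 pi m b/p) - cos(2 pi m b2/p)|, the second line of
    the chain, since m = k a^u (a - 1) runs over Z_p^* exactly once."""
    return sum(abs(math.cos(2 * math.pi * m * b / p) - math.cos(2 * math.pi * m * b2 / p))
               for m in range(1, p)) / (p - 1)

def lower_bound(p):
    """p / (2(p-1)): the constant the chain ends with."""
    return p / (2 * (p - 1))
```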

By initially applying the techniques of [?] (the weak standard method), we may (fully) reconstruct $H$ if $H$ is a non-trivial normal subgroup. (This follows because these particular semidirect product groups have the special property that if $A$ is a non-trivial normal subgroup and $A \subseteq B$, then $B$ is normal; in particular, the normal core
$$\bigcap_{t} tCt^{-1}$$
of any non-normal subgroup $C$ is the identity group.) It remains to consider non-normal subgroups $H$. Recall that in this case, $H$ is cyclic and $|H|$ is equal to the order of $a$, where $H = \langle(a,b)\rangle$. Now, for each $i \in [k]$ and $1 \le \alpha \le \alpha_i$, let $\Gamma_i^\alpha : \mathbb{Z}_q \ltimes \mathbb{Z}_p \to \mathbb{Z}_{q/p_i^\alpha}$ be the homomorphism given by
$$\Gamma_i^\alpha : (a,b) \mapsto a^{p_i^\alpha}.$$
Then let $A_i^\alpha = \ker\Gamma_i^\alpha = \{\gamma \in \mathbb{Z}_q \ltimes \mathbb{Z}_p \mid \gamma^{p_i^\alpha} = 1\}$, where $1$ denotes the identity element of $\mathbb{Z}_q \ltimes \mathbb{Z}_p$. $A_i^\alpha$ is the subgroup of $\mathbb{Z}_q \ltimes \mathbb{Z}_p$ consisting of all elements whose orders are a multiple of $p_i^\alpha$. Consider now the function
$$(f,\Gamma_i^\alpha) : \mathbb{Z}_q \ltimes \mathbb{Z}_p \to S \times \mathbb{Z}_{q/p_i^\alpha}$$
given by $(f,\Gamma_i^\alpha)(\gamma) = (f(\gamma),\,\Gamma_i^\alpha(\gamma))$. Observe that $(f,\Gamma_i^\alpha)$ is constant (and distinct) on the left cosets of $H \cap A_i^\alpha$ and, furthermore, the subgroup $H \cap A_i^\alpha$ has order $p_i^\alpha$ if and only if $p_i^\alpha$ divides the order of $a$. We may then determine if $H \cap A_i^\alpha$ has order $p_i^\alpha$ by assuming that it does, applying the result of Theorem 3, and checking the result against the original oracle $f$. This allows us to determine the prime factorization of $|H|$, as desired. Therefore, all subgroups of the $q$-hedral groups are measurement reconstructible, completing the proof of Theorem 4.

However, as in the dihedral case we know of no polynomial-time algorithm 
which can reconstruct the most likely b from these queries. 



4 Failure of the Abelian Fourier Transform 



Suppose we try to reconstruct subgroups of $A_p$ using the Abelian Fourier transform over the direct product $\mathbb{Z}_p^* \times \mathbb{Z}_p$ instead of using $A_p$'s non-Abelian structure as a semidirect product. We first consider trying to solve the hidden conjugate problem for $H_a$ where $a$ has order $p-1$.

If $a$ is a generator, the characters of $\mathbb{Z}_p^* \times \mathbb{Z}_p$ are simply $\chi_{k,\ell}((a^t,b)) = \omega_{p-1}^{kt}\,\omega_p^{\ell b}$. Summing these over $H_a^b = \{(a^t,(1-a^t)b)\}$ shows that we observe the character $(k,\ell)$ with probability
$$P(k,\ell) = \frac{1}{p(p-1)^2}\left|\sum_{t\in\mathbb{Z}/(p-1)}\omega_{p-1}^{kt}\,\omega_p^{\ell(1-a^t)b}\right|^2 = \frac{1}{p(p-1)^2}\left|\sum_{x\in\mathbb{Z}_p^*}\omega_{p-1}^{k\log x}\,\omega_p^{-\ell xb}\right|^2.$$

This is the inner product of a multiplicative character with an additive one, which is another Gauss sum. In particular, assuming $b \ne 0$, we have $P(0,0) = 1/p$, $P(0,\ell\ne0) = 1/(p(p-1)^2)$, $P(k\ne0,0) = 0$, and $P(k\ne0,\ell\ne0) = 1/(p-1)^2$. (See Appendix C.) Since these probabilities don't depend on $b$, the different conjugates $H_a^b$ with $b \ne 0$ are indistinguishable from each other. Thus it appears essential that we use the non-Abelian Fourier transform and the high-dimensional representations of $A_p$.

(For the $q$-hedral groups, when $q$ is small enough it is information-theoretically possible to reconstruct the subgroup from the Abelian Fourier transform. In fact, Ettinger and Høyer [5] use the Abelian Fourier transform over $\mathbb{Z}_2 \times \mathbb{Z}_p$ in their reconstruction algorithm for the dihedral groups.)
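The "forgetful" Abelian sampling of this section, carried out numerically as an added example (not the paper's code): it sums the characters $\chi_{k,\ell}$ of $\mathbb{Z}_p^* \times \mathbb{Z}_p$ over $H_a^b$ for a generator $a$, checks the four values of $P(k,\ell)$ derived from the Gauss sum, and confirms that the table is the same for every $b \ne 0$ (while $b = 0$ gives a different one). The prefactor $1/(p(p-1)^2)$ is $|G|^{-1}|H|^{-1}$ for the coset state.

```python
import cmath
import math

def mult_order(a, p):
    q, x = 1, a % p
    while x != 1:
        x, q = x * a % p, q + 1
    return q

def abelian_sampling(p, a, b):
    """Abelian Fourier sampling over Z_p^* x Z_p of the coset state of
    H_a^b = {(a^t, (1 - a^t) b)}, a a generator, with the characters
    chi_{k,ell}((a^t, b)) = omega_{p-1}^{kt} omega_p^{ell b}.  Returns {(k, ell): P(k, ell)}."""
    n = p - 1
    assert mult_order(a, p) == n, "a must generate Z_p^*"
    H = [(t, (1 - pow(a, t, p)) * b % p) for t in range(n)]   # (t, b') encodes (a^t, b')
    dist = {}
    for k in range(n):
        for ell in range(p):
            s = sum(cmath.exp(2j * math.pi * (k * t / n + ell * bb / p)) for t, bb in H)
            dist[(k, ell)] = abs(s) ** 2 / (p * n * n)
    return dist

def expected(p, k, ell):
    """The four cases the text derives from the Gauss sum, valid for b != 0."""
    if k == 0:
        return 1 / p if ell == 0 else 1 / (p * (p - 1) ** 2)
    return 0.0 if ell == 0 else 1 / (p - 1) ** 2

def matches_expected(p, a, b, eps=1e-9):
    return all(abs(v - expected(p, k, ell)) < eps
               for (k, ell), v in abelian_sampling(p, a, b).items())

def conjugates_indistinguishable(p, a, eps=1e-9):
    """True if the sampling distribution is identical for every b in Z_p^*."""
    ref = abelian_sampling(p, a, 1)
    return all(abs(abelian_sampling(p, a, b)[key] - ref[key]) < eps
               for b in range(2, p) for key in ref)
```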



5 Closure Under Extending Small Groups 

In this section we prove Theorem 5, that for any polynomial-size group $K$ and any $H$ for which we can solve the HSP, we can also solve the HSP for any extension of $K$ by $H$, i.e. any group $G$ with $K \triangleleft G$ and $G/K = H$. (Note that this is more general than split extensions, i.e. semidirect products $H \ltimes K$.) This includes the case discussed in [?] of Hamiltonian groups, since all such groups are direct products (and hence extensions) by Abelian groups of the quaternion group $Q_8$ [16]. It also includes the case discussed in [?] of groups with commutator subgroups of polynomial size, such as extra-special $p$-groups, since in that case $K = G'$ and $H = G/G'$ is Abelian. Indeed, our proof is an easy generalization of that in [?].

We assume that $G$ and $K$ are encoded in such a way that multiplication can be carried out in classical polynomial time. We fix some transversal $t(h)$ of the left cosets of $K$. First, note that any subgroup $L \subseteq G$ can be described in terms of i) its intersection $L \cap K$, ii) its projection $L_H = L/(L \cap K) \subseteq H$, and iii) a representative $\eta(h) \in L \cap (t(h)\cdot K)$ for each $h \in L_H$. Then each element of $L_H$ is associated with some left coset of $L \cap K$, i.e. $L = \bigcup_{h \in L_H}\eta(h)\cdot(L \cap K)$. Moreover, if $S$ is a set of generators for $L \cap K$ and $T$ is a set of generators for $L_H$, then $S \cup \eta(T)$ is a set of generators for $L$.



We can reconstruct $S$ in classical polynomial time simply by querying $F$ on all of $K$. Then $L \cap K$ is the set of all $k$ such that $F(k) = F(1)$, and we construct $S$ by adding elements of $L \cap K$ to it one at a time until they generate all of $L \cap K$.

To identify $L_H$, as in [?] we define a new function $F'$ on $H$ consisting of the unordered collection of the values of $F$ on the corresponding left coset of $K$: $F'(h) = \{F(g) \mid g \in t(h)\cdot K\}$. Each query to $F'$ consists of $|K| = \mathrm{poly}(n)$ queries to $F$. The level sets of $F'$ are clearly the cosets of $L_H$, so we reconstruct $L_H$ by solving the HSP on $H$. This yields a set $T$ of generators for $L_H$.

It remains to find a representative $\eta(h)$ in $L \cap (t(h)\cdot K)$ for each $h \in T$. We simply query $F(g)$ for all $g \in t(h)\cdot K$, and set $\eta(h)$ to any $g$ such that $F(g) = F(1)$. Since $|T| = O(\log|H|) = \mathrm{poly}(n)$ this can be done in polynomial time, and we are done.

Unfortunately, we cannot iterate this construction more than a constant number of times, since doing so would require a superpolynomial number of queries to $F$ for each query of $F'$. If $K$ has superpolynomial size it is not clear how to obtain $\eta(h)$, even when $H$ has only two elements: this is precisely the difficulty with the dihedral group. This completes the proof of Theorem 5.
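The three steps of the reduction, as an added worked example (not the paper's code) on the direct product $G = S_3 \times \mathbb{Z}_n$, an extension of $K = S_3$ by $H = \mathbb{Z}_n$: it reconstructs $L \cap K$ from $|K|$ queries, builds $F'$ on $H$, solves the HSP on $H$ (by brute force here, standing in for the quantum solver the theorem assumes), picks the representatives $\eta(h)$, and checks that $S \cup \eta(T)$ generates the hidden subgroup. The element encoding, the transversal $t(h) = (e,h)$ and the oracle $F$ are constructed for the example.

```python
from itertools import permutations

E = (0, 1, 2)                      # identity permutation of S_3
K = list(permutations(range(3)))   # the normal subgroup K = S_3 (|K| = 6)

def perm_mul(x, y):
    return tuple(x[y[i]] for i in range(3))   # apply y, then x

def g_mul(n, g, h):
    """Product in G = S_3 x Z_n, elements written (permutation, residue)."""
    return (perm_mul(g[0], h[0]), (g[1] + h[1]) % n)

def generate(n, gens):
    """Closure of gens under multiplication (fine for these small groups)."""
    elems, frontier = {(E, 0)}, [(E, 0)]
    while frontier:
        x = frontier.pop()
        for s in gens:
            y = g_mul(n, x, s)
            if y not in elems:
                elems.add(y)
                frontier.append(y)
    return elems

def coset_oracle(n, L):
    """F(g) = a canonical label of the left coset gL: constant on each coset and
    distinct across cosets (a constructed stand-in for the hidden-subgroup oracle)."""
    return lambda g: min(g_mul(n, g, l) for l in L)

def reconstruct(n, F):
    one = (E, 0)
    # (i) L ∩ K by querying F on all |K| elements of K, adding generators one at a time
    S = []
    for k in K:
        x = (k, 0)
        if F(x) == F(one) and x not in generate(n, S):
            S.append(x)
    # (ii) F'(h) = unordered values of F on the coset t(h)·K, transversal t(h) = (e, h);
    #      the HSP on H = Z_n is solved by brute force here in place of a quantum solver
    F_prime = lambda h: frozenset(F((k, h)) for k in K)
    T = []
    for h in range(n):
        if F_prime(h) == F_prime(0) and (E, h) not in generate(n, [(E, t) for t in T]):
            T.append(h)
    # (iii) a representative eta(h) in L ∩ t(h)·K for each generator h of L_H
    eta = [next((k, h) for k in K if F((k, h)) == F(one)) for h in T]
    return S + eta
```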
A The Non-Abelian Fourier Transform

To solve the HSP for the non-Abelian groups discussed above, we shall have to consider the more general setting of non-Abelian Fourier analysis. Here, instead of the familiar basis functions $\chi_k(x) = \omega_p^{kx}$, which are homomorphisms from $\mathbb{Z}_p$ into $\mathbb{C}$, we have representations $\rho$ which are homomorphisms from $G$ into $U(d)$, the group of unitary $d \times d$ matrices with entries in $\mathbb{C}$. We call $d_\rho = d$ the dimension of $\rho$.

We say that two representations $\rho : G \to U(d)$ and $\sigma : G \to U(d)$ are isomorphic if there is a non-singular linear map $\iota : \mathbb{C}^d \to \mathbb{C}^d$ for which $\rho(g) \circ \iota = \iota \circ \sigma(g)$ for every $g \in G$. Though there are an infinite number of non-isomorphic representations of a given group $G$, there is a natural notion of "decomposition" that applies to such representations; with respect to this notion, a finite group $G$ has a finite number of "irreducible" representations up to isomorphism, and every other representation may be expressed in terms of these basic building blocks. Specifically, we say that a representation $\rho : G \to U(d)$ is reducible if there is a nontrivial subspace $\{0\} \subsetneq W \subsetneq \mathbb{C}^d$ with the property that $\rho(g)(W) \subseteq W$ for all $g \in G$. A representation is irreducible if no such subspace exists.

For a given group $G$, there are only a finite number of irreducible representations up to isomorphism; we let $\hat G$ denote a set of irreducible representations of $G$ containing one from each isomorphism class.

Let $f : G \to \mathbb{C}$ be a function and $\rho$ an irreducible representation of $G$. Then the Fourier transform of $f$ at $\rho$, written $\hat f(\rho)$, is the operator

The functional notation $\hat f(\rho)$ is somewhat misleading, as $\hat f(\rho)$ is a $d_\rho \times d_\rho$ matrix, the dimension $d_\rho$ being determined by the representation $\rho$. By selecting an orthonormal basis for $\mathbb{C}^{d_\rho}$ for each $\rho$, we may associate with $f$ the family of complex numbers $\hat f(\rho)_{ij}$, where $1 \le i, j \le d_\rho$; with the constants $\sqrt{d_\rho / |G|}$, the linear transformation

$$f \mapsto \bigl(\hat f(\rho)_{i,j}\bigr)_{\rho \in \hat G,\ 1 \le i, j \le d_\rho}$$

is in fact unitary.

The Fourier transform of a function of the form [?] is then

As $H$ is a subgroup, $\sum_h \rho(h)$ is $|H|$ times a projection operator (see, e.g., [?]); we write $\sum_h \rho(h) = |H|\,\pi_H$. (Its rank is determined by the number of copies of the trivial representation in the representation $\mathrm{Ind}_H^G 1$.) With this notation, we write $\hat f(\rho) = \sqrt{n_\rho}\,\rho(c) \cdot \pi_H$ where $n_\rho = d_\rho |H| / |G|$. For a $d \times d$ matrix $M$, we let $\|M\|$ denote the matrix norm given by $\|M\| = \sqrt{\sum_{i,j} |M_{ij}|^2}$. Then the probability that we observe the representation $\rho$ is

$$\|\hat f(\rho)\|^2 = \|\sqrt{n_\rho}\,\rho(c)\,\pi_H\|^2 = n_\rho \|\rho(c)\,\pi_H\|^2 = n_\rho\,\mathrm{rk}\,\pi_H,$$

where $\mathrm{rk}\,\pi_H$ is the rank of the projection operator $\pi_H$. See [?] for more discussion.



B Constructing $A_p$'s Representations; Induced Representations

In this Appendix we construct the $(p-1)$-dimensional representation of $A_p$ by inducing upward from a one-dimensional representation of the normal subgroup $N = \mathbb{Z}_p$. We begin with a short discussion of induced representations.



Let $G$ be a group, $H$ a subgroup of $G$, and $\sigma : H \to U(d)$ a representation of $H$. We shall define a representation $\mathrm{Ind}_H^G \sigma$ of $G$, the induced representation. Let $\Gamma = \{\gamma_1, \ldots, \gamma_t\} \subset G$ be a left transversal of $H$ in $G$, so that $G = \bigcup_{\gamma \in \Gamma} \gamma H$, this union being disjoint. The representation $\mathrm{Ind}_H^G \sigma$ is defined on the vector space of dimension $d|G|/|H|$ whose elements are formal sums $\sum_{\gamma \in \Gamma} \gamma \cdot v_\gamma$ where each $v_\gamma \in \mathbb{C}^d$. Addition and scalar multiplication are given by the rule $\sum \gamma \cdot u_\gamma + \sum \gamma \cdot v_\gamma = \sum \gamma \cdot (u_\gamma + v_\gamma)$ and $c \sum \gamma \cdot v_\gamma = \sum \gamma \cdot c v_\gamma$. Then $\mathrm{Ind}_H^G \sigma$ is defined by linearly extending the rule

$$\mathrm{Ind}_H^G \sigma(g) : \gamma \cdot v \mapsto \gamma' \cdot \sigma(h) v,$$

where $(\gamma', h)$ is the unique pair in $\Gamma \times H$ so that $g\gamma = \gamma' h$.

Returning now to the affine group, let $\tau_t : (1,b) \mapsto \omega_p^{tb}$ for $0 \le t < p$ be the $p$ distinct one-dimensional characters of the normal subgroup $N = \mathbb{Z}_p$. Let $H = A_p / N = \mathbb{Z}_p^*$. Consider the conjugation action of $H$ on these characters: that is, define $(a,0)\tau_t(1,b) = \tau_t[(a,0)(1,b)(a,0)^{-1}] = \tau_t(1,ab) = \tau_{at}(1,b)$. Note that this action has two orbits, one consisting of the trivial character $\tau_0$ and the other consisting of all non-trivial characters.

Now, considering the first orbit, consisting of $\tau_0$ alone, we see that the isotropy subgroup is all of $H$. Now, let $\rho_0$ be the extension of $\tau_0$ to all of $H$ (which makes sense, since it was stable under the $H$-action). Then for each irreducible representation $\hat\sigma$ of $H$, we get an irreducible representation $\sigma = \mathrm{Ind}_{HN}^{A_p}(\rho_0 \otimes \hat\sigma)$. (Note that this gives rise to the representations $\sigma_s$ above.)

Focusing on the other orbit, for simplicity consider $\tau_1$. Since $H$ is cyclic, the isotropy subgroup of $\tau_1$ is the identity subgroup and this gives rise to the representation $\rho = \mathrm{Ind}_N^{A_p} \tau_1$. Now $\mathrm{Ind}_N^{A_p}$ operates on the vector space $W = (1,0)\mathbb{C} \oplus \cdots \oplus (p-1,0)\mathbb{C}$. The action is

$$[\mathrm{Ind}_N^{A_p} \tau_1 (a,b)] \cdot (i,0) \mapsto \tau_1\bigl((ai)^{-1} b\bigr)\,(ai,0),$$

which is precisely the $(p-1)$-dimensional representation $\rho$ in the multiplicative basis. We can construct the $q$-dimensional representations of the $q$-hedral groups in a similar way.

C Notes on Exponential Sums

The basic Gauss sum bounds the inner products of additive and multiplicative characters of $\mathbb{F}_p$, the finite field with $p$ elements. Definitive treatments appear in [?, §5] and [21]. Considering $\mathbb{F}_p$ as an additive group with $p$ elements, we have $p$ additive characters $\chi_s : \mathbb{F}_p \to \mathbb{C}$, for $s \in \mathbb{F}_p$, given by

$$\chi_s : z \mapsto \omega_p^{sz},$$

where $\omega_p = e^{2\pi i / p}$ is a primitive $p$th root of unity. Likewise considering the elements of $\mathbb{F}_p^* = \mathbb{F}_p \setminus \{0\}$ as a multiplicative group, we have $p-1$ characters $\psi_t : \mathbb{F}_p^* \to \mathbb{C}$, for $t \in \mathbb{F}_p^*$, given by
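As an added check (example code, not from the paper) of the induced-representation rule just stated and of the Appendix A quantity $n_\rho\,\mathrm{rk}\,\pi_H$: $\rho(a,b)$ is built as the $(p-1) \times (p-1)$ matrix of $\mathrm{Ind}_N^{A_p} \tau_1$ in the multiplicative basis, verified to be a homomorphism, and $n_\rho\,\mathrm{rk}\,\pi_H$ is computed for a chosen subgroup $H$. The value $p = 5$ and the subgroups in the checks are my choices.

```python
# Added example (not from the paper): the (p-1)-dimensional representation of
# A_p from the induced-representation rule, and n_rho * rk(pi_H) from Appendix A.
import cmath

def affine_mul(g, k, p):
    """Compose affine maps x -> ax + b: (a,b)(c,d) = (ac, ad + b) mod p."""
    (a, b), (c, d) = g, k
    return (a * c % p, (a * d + b) % p)

def rho(g, p):
    """Matrix of Ind_N^{A_p} tau_1 at g = (a,b) in the basis (1,0),...,(p-1,0):
    column i has the single entry tau_1((ai)^{-1} b) = omega_p^{(ai)^{-1} b} in row ai."""
    a, b = g
    omega = cmath.exp(2j * cmath.pi / p)
    M = [[0j] * (p - 1) for _ in range(p - 1)]
    for i in range(1, p):
        j = a * i % p
        M[j - 1][i - 1] = omega ** (pow(j, -1, p) * b % p)
    return M

def matmul(A, B):
    n = len(A)
    return [[sum(A[r][k] * B[k][c] for k in range(n)) for c in range(n)] for r in range(n)]

def same(A, B, eps=1e-9):
    return all(abs(x - y) < eps for ra, rb in zip(A, B) for x, y in zip(ra, rb))

def is_homomorphism(p):
    """Check rho(gk) = rho(g) rho(k) on every pair of elements of A_p."""
    G = [(a, b) for a in range(1, p) for b in range(p)]
    return all(same(rho(affine_mul(g, k, p), p), matmul(rho(g, p), rho(k, p)))
               for g in G for k in G)

def rank_pi_H(H, p):
    """pi_H = (1/|H|) sum_h rho(h) is a projection, so its rank equals its trace."""
    tr = sum(rho(h, p)[i][i] for h in H for i in range(p - 1)) / len(H)
    return round(tr.real)

def prob_observe_rho(H, p):
    """n_rho * rk(pi_H) with n_rho = d_rho |H| / |G|, d_rho = p - 1, |G| = p(p-1)."""
    return (p - 1) * len(H) / (p * (p - 1)) * rank_pi_H(H, p)
```

For $H = N$ the rank is 0 (the induced representation contains no copy of the trivial representation of $N$), while for $H = \{(a,0)\}$ and for the trivial subgroup the observation probability is $(p-1)/p$.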

V't :0*>-» 

where $\omega_{p-1} = e^{2\pi i / (p-1)}$ is a primitive $(p-1)$st root of unity and $g$ is a multiplicative generator for the (cyclic) group $\mathbb{F}_p^*$.

With this notation the basic Gauss sum is the following:

Theorem 6. Let $\chi_s$ be a multiplicative character and $\psi_t$ an additive character of $\mathbb{F}_p$. If $s \ne 0$ and $t \ne 1$ then



zew p 

Otherwise

$$\sum_{z \in \mathbb{F}_p^*} \chi_s(z)\,\psi_t(z) = \begin{cases} p - 1 & \text{if } s = 0,\ t = 1, \\ -1 & \text{if } s = 0,\ t \ne 1, \\ 0 & \text{if } s \ne 0,\ t = 1. \end{cases}$$

See [?, §5.11] for a proof.

This basic result has been spectacularly generalized. In the body of the paper we require bounds on additive characters taken over multiplicative subgroups of $\mathbb{F}_p^*$. Such sums are discussed in detail in [13]. The specific bound we require is the following.

Theorem 7. Let $\chi_t$ be a nontrivial additive character of $\mathbb{F}_p$ and $a \in \mathbb{F}_p^*$ an element of multiplicative order $q$. Then

$$\sum_{z=0}^{q-1} \chi_t(a^z) = \begin{cases} O(p^{1/2}), & \text{if } q > p^{2/3}, \\ O(p^{1/4} q^{3/8}), & \text{if } p^{1/2} < q < p^{2/3}, \\ O(p^{1/8} q^{5/8}), & \text{if } p^{1/3} < q < p^{1/2}. \end{cases}$$

See [13, §2] for a proof.
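As an added numerical check (example code, not from the paper) of Theorems 6 and 7 over a small $\mathbb{F}_p$: the code follows this section's definitions ($\chi_s$ additive, $\psi_t$ multiplicative through a generator $g$) except that the trivial multiplicative character is indexed $t = 0$ here, i.e. $\psi_t(g^k) = \omega_{p-1}^{tk}$; for the nontrivial case of Theorem 6, whose displayed equation is not legible on this page, it checks the classical magnitude $\sqrt{p}$.

```python
# Added example (not from the paper): Gauss sums of Theorem 6 and the subgroup
# sums of Theorem 7 over F_p, with chi_s additive and psi_t multiplicative.
import cmath

def chi(s, z, p):
    """Additive character chi_s(z) = omega_p^{sz}."""
    return cmath.exp(2j * cmath.pi * (s * z % p) / p)

def dlog(z, g, p):
    """k with g^k = z mod p, by exhaustive search (p is tiny here)."""
    return next(k for k in range(p - 1) if pow(g, k, p) == z)

def psi(t, z, g, p):
    """Multiplicative character psi_t(g^k) = omega_{p-1}^{tk}; t = 0 is trivial."""
    k = dlog(z, g, p)
    return cmath.exp(2j * cmath.pi * (t * k % (p - 1)) / (p - 1))

def gauss_sum(s, t, g, p):
    """Sum over z in F_p^* of chi_s(z) psi_t(z)."""
    return sum(chi(s, z, p) * psi(t, z, g, p) for z in range(1, p))

def check_theorem6(p, g, eps=1e-9):
    """All cases of Theorem 6 (trivial characters are s = 0 and t = 0 here)."""
    for s in range(p):
        for t in range(p - 1):
            S = gauss_sum(s, t, g, p)
            if s != 0 and t != 0:
                ok = abs(abs(S) - p ** 0.5) < eps      # both nontrivial: |S| = sqrt(p)
            else:                                       # p-1, -1 or 0 by which one is trivial
                expected = {(True, True): p - 1, (False, True): -1, (True, False): 0}[(s == 0, t == 0)]
                ok = abs(S - expected) < eps
            if not ok:
                return False
    return True

def order(a, p):
    """Multiplicative order q of a in F_p^*."""
    q, x = 1, a % p
    while x != 1:
        x, q = x * a % p, q + 1
    return q

def subgroup_sum(t, a, p):
    """Theorem 7's sum_{z=0}^{q-1} chi_t(a^z) over the subgroup generated by a, and q."""
    q = order(a, p)
    return sum(chi(t, pow(a, z, p), p) for z in range(q)), q
```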

Note that in the body of the paper, we use $\mathbb{Z}_p$ to denote the additive group of integers modulo $p$ and $\mathbb{Z}_p^*$ to denote the multiplicative group of integers modulo $p$.



